I quit infosec and I couldn't be happier

170 points by PaulSec about 2 years ago

22 comments

bitexploder about 2 years ago
I have been an information security consultant for a long time. Software dev background. 2006 start app sec consulting -> senior consultant -> principal consultant -> CTO (of small consulting firm) -> get bought by NCC start my own company 10 yrs ago -> CTO/managing principal -> sell company -> still consulting. Done so many different things but the common theme is app sec. Finding bugs and risks in software via reversing, assessment, threat modeling, and code review.

Do I still love it after 17 years? No. A lot has changed. A lot has not. I still like it most days. By far my favorite thing has been building a team and teaching others what I learned. I hit burn out here and there. I think computers and tech are different and objectively a little less fun now for this field. When I started I could find a bug in a system and write an actual exploit (actual machine code!) for it by hand in a reasonable time scale and that was always really cool. Now teams of people are required to achieve the same exact goal. Just one of many examples.

So anyway, some get off my lawn cause I am older now, some is just me changing what I like and want from life, some is tech changes. It’s still a great field as a consultant. Show up. Hack. Write report. Leave. Never be a CISO, you can’t pay me enough to do it. The end.
throwawaaarrgh about 2 years ago
This really resonates with me. I'm also passionate, and most corporate gigs I've had over 20 years kill my soul. I wish there was a place I could use my skills where they weren't wasted, where I could perform at the top of my game and really make incredible things happen. The reality is I spend 90% of my time trying to work around some stupid bureaucratic limitation, and it's not uncommon for my work to be literally thrown away after months or years of work.
adamgordonbell about 2 years ago
Got to be honest, I only clicked on the link because 'quitted' bothered me, but the Take-Aways are interesting.
quacked about 2 years ago
If you're looking to avoid burnout, it helps to think of your profession as something entirely separate from your identity. I'm not an "aerospace engineer" or a "project manager", I am merely a man who plies the trades of engineering and project management during the day. That's the service I provide to society in exchange for food, fuel, land, tools, weapons, medicine, textiles, etc. (I don't think it's a fair trade but that's out of the scope of this discussion.) The parts of life that I actually consider meaningful parts of my identity occur outside of work and mostly revolve around my family, friends, religion, storytelling, and art.

This may kind of seem tautological, but I think adding the extra degree of mental separation (I am a man/woman who practices X profession vs. I am X profession) can help clear your head and open new life avenues to you. If you spend 8 years grinding for a graduate degree and enter into an obscenely competitive job market and find little success, it's easy to feel claustrophobic and like you've failed if you take a job outside your field. However if you think "for 8 years I performed statistics, writing, lecturing, and reading, and now in order to make my fortune I'll try another trade" you feel less indebted to your past self and make more clearheaded decisions about what to do in life.
bayesian_horse about 2 years ago
I had watched a few courses on information security and noticed that those working in the more management / corporate related infosec roles seemed to be massively overweight, almost all of them (I am too, btw). Not saying that to shame anyone, just: Does the job make you miserable or stressed out?

I have been forced to do the infosec role as a "side thing" in a couple of jobs now, mainly because nobody else was around that even had the basic skills. One of the things that discouraged me from going further in that field is that it doesn't seem to make people all that happy and fulfilled. Again, I may be wrong on that, as an outsider looking in.
itsmemattchung about 2 years ago
> The main warning I might just give to people is to keep proper distances between work and personal life

I've been thinking about this a lot lately. As a millennial, I've tied so much of my self-worth into my career and recently, started questioning this belief and I think the next generation (i.e. Gen Z) might be on to something around quiet quitting, their generation placing extra emphasis on pursuing things that make them happy and viewing work as .... well, work.
tiffanyh about 2 years ago
Some general (unsolicited) advice ... for whatever field you're interested in - go work for a company that sells that as a service.

E.g.,

- Don't be an internal company accountant, go work for Big 4 accounting firm to sell your skills

- Don't be in internal company IT Security, go work for a company who sells that skill

It's all about moving up in the value chain. By moving up in the value chain, you're more "valued" / appreciated / sought after.

Your general happiness will be much better as a result, and you'll also make much more money.
eganist about 2 years ago
I'm probably oversummarizing, but this seems to boil down to burnout caused by (from the post):

> But why don’t they just patch? It’s not that complicated after all.

And you kinda see this later on when the author talks about what they worked on post-transition out of infosec as a mainline career:

> I finally joined Michelin in December 2016 where I started working in the CERT team where my main mission was to *automate scanning and reconnaissance phases* [emphasis added] on internet-facing assets and this was my real first experience on the other side of the story - defending infrastructure and where I finally experienced change management (and the complexity behind it), impact evaluation and so on.

It seems like the author burned out not because of the work but because wherever he ended up, there was no strategic initiative to streamline and automate patching to a point where it's largely invisible. It's also a hard problem given the risks of patching bringing reliant services down and the need to automate a slew of testing to validate that said patches won't torpedo production and mission critical systems.

The bit above is important not just because it solves a problem but because (I'm convinced that) people like knowing they actually built something and enacted lasting change. And security may be one of the least likely engineering disciplines where you'll experience building a tangible product as an IC.

At least in software security it's a bit easier with build and deployment pipelines offering an opportunity to block when patches are outstanding, but I can see where the burnout would arise when a strategic effort to invisibly ensure patching isn't in place or well funded. No one gets to build anything, and likewise, nothing gets solved because nothing was built.

---

So if I could add another takeaway:

• if your job involves running around and putting out fires, consider recommending up the chain and across the aisle all the ways to prevent the fires. And if those recommendations don't catch fire (so to speak), may be worth exploring alternative means to address the burnout risk long term with the current role.
SadWebDeveloper about 2 years ago
I have said it before and still say... InfoSec is a glorified policy writer.

You spent more time 90% of the time "writing documentation" rather than on finding the security problem and suggesting the fix. That's why I choose development rather than InfoSec (despite having a knack for it), because it's more technical and I don't need to explain "why" every time.
jordanmorgan10 about 2 years ago
Does anyone else wonder what their life might have been if you had never gotten into tech? I sometimes think I may be happier, but certainly less wealthy. My free time would probably be just that, free time - instead of having the relentless drive I have to do another app, blog post, etc.

On the other hand - the "hustle" economy is everywhere now, not just tech. Everyone has a side gig, and the grass isn't always greener. So, who knows.

Great post and best of luck in management.
hsnewman about 2 years ago
I was a CISO for a Credit Union, and retired early. Couldn't be happier now, I would never go back to infosec. The stress and anxiety was terrible. Infosec is a target for management if there is a breach, fortunately for me I never had an incident, though. After 3 years my mental state is so much better, I highly recommend retiring/switching careers if you're unhappy in your job.
icedchai about 2 years ago
The truth is, a lot of this work is drudgery. You either get used to it or find something else to do.
sasas about 2 years ago
> Taking your passion and making it your day work is obviously tempting but also a risky game, as you will keep “working” tirelessly if you’re not putting barrier

Risky game indeed. It’s 1:24am here in Australia and I’ve finally stopped attempting to reverse a network protocol for an embedded device which I’m pentesting. Reading the article is a good reminder of what can happen if you push it too far. The challenge is with this type of work you often have to put in the hours, particularly if it’s a hard target..

If you lack the passion and drive you simply just won’t retain and develop the skills required to deliver. If seasoned pentesters disagree, then I’m all ears.
yootyootr about 2 years ago
By default when I click the link I'm directed to a non-secure HTTP version of github, which I found ironic given the page title
unixhero about 2 years ago
This is about developer burnout, and doesn't really point to anything in particular regarding infosec.
badrabbit about 2 years ago
@PaulSec, Why didn't you move to blue team side of things? It may have been more enjoyable catching actual threat actors and learning the latest tech/platform/attack so you can defend against it. Glad it worked out for you though.

I almost can't imagine not working in infosec, it might feel like losing a limb I think. It's not the assembly, exploits, etc... that does it for me but how I am never bored and always learning something new. The feeling when you find a compromise by sophisticated actor or even stop a compromise in progress, even if no one ever hears about it is amazing. I did networking and other types of jobs that were great too but eventually you master those more or less and start to get bored. I suspect pentesting is similar in that you learn new techniques all the time but the vulns you find are still the same stuff more or less? I have no idea, just guessing. I guess what I am trying to say is how rare it is to find someone with passion for infosec that applies themselves and how broad the industry is (maybe you might enjoy being an instructor or manager?) and how any job in infosec would love to have you because of your background.
ceva about 2 years ago
Funny thing is I was mentioning milw0rm this morning to a colleague and remembering the old days when astalavista was a thing :) nice story thanks for sharing!
_tk_ about 2 years ago
I have been working in infosec for 10 years now. I know this author doesn't want to convince anyone, and I am happy that they are happy. :)

But I am kinda wondering why this brings so much attention? To me this reads like a long trip down memory lane. Is your takeaway: "if your job and your hobby are too similar, then this will lead to burnout?" Or is it "a job in infosec will lead to burnout, because infosec has certain inherent problems?"
mellosouls about 2 years ago
For anybody tempted to skim or not read the article, the title [ps. "quit" is a bit less awkward - imo, natch :) ] is a bit misleading; the main takeaway at the end is the rather more positive:

*Looking back, working in infosec was such a great experience and I recommend it to anyone who wants to jump in!*

The reflections generally about knowing when to move on are more field-agnostic.
pizzaknife about 2 years ago
My friends, consider only working 4 days a week, 6hrs a day, and your profession not defining you, your value nor your ego. It's not a simple matter but worth the effort. Full disclosure I struggle w self value statement constantly still
DeathArrow about 2 years ago
When I was 18-20 I was also passionate about infosec. But I liked development more and infosec didn't seem at that time a domain that is very easy to find employment and gain money.
PeterStuer about 2 years ago
"Quitted", srsly?

Yeah, blow my karma idk